feat: 扩展风险规则体系、审批动态路由与预算中心列表化改造

- 新增 25+ 条风险规则（预算/报销/申请/通用类），完善风险规则模拟与反馈发布机制
- 引入费用审批动态路由、平台风险分级、预审与风险阶段管理
- 预算中心列表化改造，优化票据夹仪表盘与数字员工工作看板
- 新增 Hermes 风险线索收集器、Agent 链路追踪中心
- 扩展数字员工能力库（18 个领域 Skill）与交通费用自动预估
- 完善报销申请快速预览、权限控制与前端测试覆盖

server/tests/test_reimbursement_endpoints.py

@@ -15,6 +15,7 @@ from app.db.base import Base
 from app.main import create_app
 from app.models.employee import Employee
 from app.models.financial_record import ExpenseClaim, ExpenseClaimItem
+from app.models.organization import OrganizationUnit
 from app.models.role import Role
 from app.schemas.ocr import OcrRecognizeBatchRead, OcrRecognizeDocumentRead
 from app.services.expense_claim_attachment_storage import ExpenseClaimAttachmentStorage
@@ -367,11 +368,32 @@ def test_approve_claim_endpoint_routes_direct_manager_claim_to_finance_review()
 def test_approve_application_endpoint_routes_direct_manager_review_to_budget_review() -> None:
     client, session_factory = build_client()
     with session_factory() as db:
+        department = OrganizationUnit(
+            id="dept-1",
+            unit_code="DELIVERY-API",
+            name="交付部",
+            unit_type="department",
+        )
+        budget_role = Role(
+            id="role-budget-application-approve-1",
+            role_code="budget_monitor",
+            name="预算监控员",
+        )
         manager = Employee(
             id="mgr-application-approve-1",
             employee_no="E21002",
             name="李经理",
             email="manager-application-approve-api@example.com",
+            organization_unit=department,
+        )
+        budget_manager = Employee(
+            id="budget-application-approve-1",
+            employee_no="E31002",
+            name="赵预算",
+            email="budget-application-approve-api@example.com",
+            grade="P8",
+            organization_unit=department,
+            roles=[budget_role],
         )
         employee = Employee(
             id="emp-application-approve-1",
@@ -379,6 +401,7 @@ def test_approve_application_endpoint_routes_direct_manager_review_to_budget_rev
             name="张三",
             email="zhangsan-application-approve-api@example.com",
             manager=manager,
+            organization_unit=department,
         )
         claim = ExpenseClaim(
             id="claim-application-approve-1",
@@ -398,9 +421,16 @@ def test_approve_application_endpoint_routes_direct_manager_review_to_budget_rev
             submitted_at=datetime(2026, 5, 25, 10, 0, tzinfo=UTC),
             status="submitted",
             approval_stage="直属领导审批",
-            risk_flags_json=[],
+            risk_flags_json=[
+                {
+                    "source": "submission_review",
+                    "severity": "high",
+                    "label": "申请风险复核",
+                    "message": "申请金额和行程安排需要预算管理者二次确认。",
+                }
+            ],
         )
-        db.add_all([manager, employee, claim])
+        db.add_all([department, budget_role, manager, budget_manager, employee, claim])
         db.commit()
 
     response = client.post(
@@ -424,6 +454,7 @@ def test_approve_application_endpoint_routes_direct_manager_review_to_budget_rev
         and item["operator"] == "李经理"
         and item["next_status"] == "submitted"
         and item["next_approval_stage"] == "预算管理者审批"
+        and item["next_approver_name"] == "赵预算"
         for item in payload["risk_flags_json"]
     )
 
@@ -555,3 +586,25 @@ def test_claim_item_delete_removes_item_and_attachment(monkeypatch, tmp_path) ->
         headers=headers,
     )
     assert deleted_meta_response.status_code == 404
+
+
+def test_claim_delete_allows_draft_owner_by_employee_id_without_employee_no_header(monkeypatch, tmp_path) -> None:
+    monkeypatch.setattr(ExpenseClaimAttachmentStorage, "root", lambda self: tmp_path)
+
+    client, session_factory = build_client()
+    with session_factory() as db:
+        claim, _ = seed_claim(db)
+        claim_id = claim.id
+
+    response = client.delete(
+        f"/api/v1/reimbursements/claims/{claim_id}",
+        headers={"x-auth-username": "emp-1", "x-auth-name": "Browser Session User"},
+    )
+
+    assert response.status_code == 200
+    payload = response.json()
+    assert payload["claim_id"] == claim_id
+    assert payload["status"] == "deleted"
+
+    with session_factory() as db:
+        assert db.get(ExpenseClaim, claim_id) is None